Spam Filter ISP Support - How to prevent Backscatter in ISP Spamfilter

How to prevent Backscatter in ISP Spamfilter

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6835
Printed Date: 27 December 2024 at 12:03pm

Topic: How to prevent Backscatter in ISP Spamfilter

Posted By: morten44
Subject: How to prevent Backscatter in ISP Spamfilter
Date Posted: 20 May 2010 at 11:40am

Hi.

We have an issue with our mail server. We sometimes get blocked on

Backscatterer.org

We have ISP Spamfilter infront of Imail 8.22 server

If I understand correct, we get blocked because we "bouce" delivery failed mail back to sender that sometime is not the real sender. Therefore its taken as spam.

I understand we have to configure the system, only to "bounce" delivery failed messages back to LOCAL users, not external users.

So my question is;

Is this something we need to setup in ISP spamfilter or is it in the Imail Server?

we are using ISP for all incomming mails. we do not use ISP Spamfilter to validate any outgoing smtp.

Our IMAIL Smtp is using "no relay" and "smtp authentcation"

can you give me any idea if I can add settings in ISP spamfilter to prevent this and if yes, what.

Or will it be a Imail Configuration setting

regards
Morten

Replies:

Posted By: jerbo128
Date Posted: 20 May 2010 at 10:22pm

Morten,

we once used imail 822 also and it's failure to use was the backscatter. Spamfilter for the most part does not backscatter. But Imail 822 has many vulnerabilities and we found it to difficult to plug them all. My advice, find a new mail server.

Posted By: LogSat
Date Posted: 21 May 2010 at 10:20am

Morten,

When SpamFilter receives an email that passes all filtering rules, it forwards it to your destination SMTP server. If that user does not exist, or if their mailbox is full for example, your SMTP server will reject the email attempt. At that point, SpamFilter has to notify the sender that the email was not delivered, and this is (was) done by sending a NDR (non-deliverable report) email back to the sender. If you send out too many of these NDRs, then yes, that may cause the SpamFilter server to be blacklisted. This scenario can be greatly reduced by implementing a "Authorized TO" whitelist, which contains a list of valid email addresses on your mail server. SpamFilter will only accept emails to addresses on that list, which practically eliminates the backscatter issue, and has the great benefit of reducing spam, as spammers who attempt to "guess" valid email addresses will be blocked by SpamFilter's blacklist cache.

This said... a few weeks ago we released a new version of SpamFilter (v4.2.4.830) which completely changes how SpamFilter processes emails. In particular, this feature is exactly what you're looking for:

/ New to VersionNumber = '4.2.4.830';

{TODO -cNew To avoid backscatter, if an incoming email passes all filtering rules, but cannot be forwarded (ex. mailbox full, non-existent user), SpamFilter maintains open the incoming remote connection until it can verify with the destination server that the email can be delivered. If not, a 5xx error is output forcing the remote server to generate the NDR, rather than having SpamFilter send an NDR notification email}

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP

Posted By: morten44
Date Posted: 21 May 2010 at 6:02pm

Thanks for the answer.

I think the first option to make a list of all valid emails is not a good option, as we have about 100 domains and each of them can create their own addresses. It would be hard to maintain.

About the newest version: 4.2.4.830 we have installed some weeks ago.

However we got blacklisted 3 days ago.

By Standard we are using very minimal filtering.

We basically only use the MAPS servers as filter and that has generally worked OK.

We started to get alot of spam from local so we added some more filters but the day after we got bloked. I assume tha its a coinsident that the blocking happened after also applying SFDB on nr4.

In this new version, Is it by default that it should work that way?

Another potential problem

We have ISP listening on port 25 and forwards to Imail Server port 2225.

When our users sends mail out they set port 2225 in outlook and send directly from Imail SMTP and it does not pass ISP when sending.

Is there a chance that ISP is working as it should, and the problem is that its Imail who when address is not found, sends a postmaster mail to sender?

Regards

Morten

Posted By: LogSat
Date Posted: 25 May 2010 at 2:30pm

Morten,

The new behavior is standard on this new release, there is nothing that needs to be enabled. Please note however that there may be other reasons why someone may get blacklisted, often caused by viruses within a network that may be sending huge amounts of spam to the internet. Usually the sites that blacklist you are able to provide you with details on the "why" the IP/subnet was blocked, which would then pinpoint the problem.

For the Imail question, if your user sends an email to a non-existent user, the bounce back would usually go back to your user, however the remote server would detect the incoming email to the non-existent user. If these are isolated email attempts it wouldn't be a problem, but if the user is infected/spamming and is sending out a lot of emails, then yes, this would be an issue.

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP

Posted By: morten44
Date Posted: 27 May 2010 at 6:02pm

Hi Roberto

Thanks for your very well and detailed explenation as always :)

Regards

Morten